Our Healthcare Data: 10 Myths Busted*

If data is the new oil, then healthcare data is one of the critical component. For us, healthcare consumers here are 10 myths to bust:

Myth 1: We own our medical records. Technically as healthcare consumers, we access our records & can get or make copies either digitally or in paper format, but mostly we don't own our own medical records, as strange as that may sound. Ownership is complicated to decipher and usually depends on federal & the local legislation that one is located in. For ex: whereas in California, the ownership of medical records is with the facility that created them, in Texas, medical records belong to the physician. As of now, much of healthcare data remains locked within proprietary enterprise systems, which provide the underlying tech plumbing.

Myth 2: HIPAA applies to all settings. The Health Insurance Portability & Accountability Act (HIPAA), came into effect in 1996 when we were still in the 'silo'-IT era, not in the 'connected'-digital era. HIPAA applies to 3 main ‘Covered Entities (CEs)’: Various Health Providers, Payers & Clearinghouses. Contractors & sub-contractors who work with the CEs are bound by business associate agreements. Employers, life insurers, health clubs, spas etc are outside of the purview of HIPAA. An exception is when the setting interacts with a CE, say for ex: a gym running a fitness initiative for a health payer or a provider. 

Myth 3: All kinds of data is protected by HIPAA. Traditionally HIPAA protects the patient-provider interaction data. Think of it as the case notes compiled by our clinical community (physicians & nurses) in a care setting. The data generated by the fitness devices & wearable, that we use for our own personal improvement is also outside HIPAA. But if the wearable data has to be sent to the CE (as is increasingly the case now in remote patient monitoring), then it is within the purview of HIPAA. This is one reason why there was a rush by several wearable manufacturers to be HIPAA compliant. Most of life style data today is outside of the purview of HIPAA, which means that how often we visited the gym, what we purchased at the local supermarket etc is not bound by the HIPAA privacy rule.

Myth 4: Electronic Medical/Health Records provides a complete & realistic picture of our health. To borrow from finance, the electronic medical records are the balance-sheets, which provide a snapshot in time. They are not the full annual profit & loss statements which is the holistic performance over the total time period. To form a complete view of a person, we need both: medical & non-medical (life style) data, over as long a period of time as possible to form the Longitudinal Life Record (LLR). LLR is most akin to the longitudinal studies which are known for their long duration & meticulous data collection. The most famous example is the Framingham Heart Study that has provided us with much data on incidence & risk factors.

Myth 5: All of our medical data only remains within the four-walls of the physician office, podiatrist, health system, pharmacy, labs that we visit. HIPAA does allow the CEs to share de-identified & anonymised patient data info as long as they follow either of the 2 de-identifying methods: Safe Harbor (removing 18 categories of individual identifiable data) & Expert Determination (where a person with sufficient knowledge & experience in statistics approves that the info is de-identified). This clause facilitates beneficial studies combining large data-sets from multiple sources. We derive benefits in public health, epidemiology studies, life sciences research, retrospective cost analysis, operational improvement & so on. But, unknown to many, there is also a significantly large secondary market where the medical data (stripped of identifying patient name, gender & full ZIP code) is leveraged further. Data from multiple sources like the census data, DMV data (driver license & vehicle info), social media feeds, patient surveys, patient self-reported data, magazine subscriptions, retail purchase data etc can be brought together and then analysed to form various inferential theories.

Myth 6: It is not possible to identify the patients from the anonymous data. When the existing rules & regulations were put in place in the paper-based IT era, the obvious logic was that it would be nearly impossible to identify someone. But in today's digital-era with availability of multiple data sources & cheap computing resources allow one to connect-the-dots and deduct the identity with a reasonable level of accuracy. There are several studies that show that using much publicly available data sources like hospital discharges, census data etc, one can lead to re-identification of anonymized data. In Australia, there was another interesting study that noted how de-identified patient data can be re-identified.

Myth 7: Monitoring & Tracking spending habits only applies to non-healthcare setting and not to our lifestyle data related to healthcare. What we do outside of care setting (which is the bulk of time) has a much bigger impact on our health than what happens within the care setting. That is why much of our life lifestyle data when mashed up with the enterprise healthcare data provides a full longitudinal record of what is actually happening. Lifestyle data includes all the social, economic, environmental, cultural factors. What we buy, what we eat, where we live, how educated we are, how much we earn, what we say on social media, what is our relationship status, what is our financial standing etc. And all have an indirect impact on our health. For providers & payers, this mash-up may often provide additional opportunities within the population to identify cohorts of patients that need dedicated follow-up or those that are in urgent need of specific intervention. This allows to control costs for bundled payments & various value based care programs.

Myth 8: All the lifestyle data delivered by various data intermediaries always provides a true picture. The various data intermediaries use advanced statistics based analytics models and more recently machine learning to make 'inferences' from the data. And as we know from our statistics lessons, its the retrospective data quality, sample size & reference frame that matter most when making prospective decisions. Incomplete data or errors can blow up and lead one to reach to inconsistent or frankly wrong conclusions. Anecdotally as the saying goes: Torture the data & it will confess anything you want. My favorite example is deducting correlation between S&P 500 and butter production in Bangladesh.

Myth 9: We always say exactly what we do. We all know by experience that what we say and what we do/have done are not always the same. That same applies to healthcare also. Patients do not always disclose all the information to their physicians. In other words, patients may lie to their care givers. There are several reasons for this but to oversimplify it we don't want to be judged for a failure (failure to keep up to a plan) or admit an embarrassing detail (for ex: contracting a sexually transmitted infection). This is exactly why economists have argued for long that we don't always make the best choice and that applying behavioral economics can actually impact the outcome dramatically.

Myth 10: We, as healthcare consumers will never ever have a direct say in how our data is used. Regulators (from CMS to FTC) & policymakers (from Congress to States like California) are keenly observing the market shift. Regulators do want to provide us access to 'our own enterprise grade' healthcare data by promoting APIs and thus encourage medtech innovation. As breadth of data sources expands, we will surely have a much larger role to play. But the pace is yet to pick up compared to what is happening across the pond in Europe. In Eu, healthcare consumer privacy focused reform like GDPR and the financial services innovation & Fintech encouraging initiatives like Payment Services Directive (PSD-2) are starting to make some dent in the market. We should expect to see & hear further debate on opening innovation in healthcare. And sensing an opportunity, the start-up ecosystem is once again talking about the personal health record, albeit this time with the added underlying backbone of distributed ledger technology & Blockchain and aided by financial or in-kind incentive of 'monetization'.

As the digital panopticon expands, it seems that we can run, but we cannot hide. Till further regulation & clarity in enforced what should we do? Start by being aware of our rights whenever we have any health consultation. Next time you sign those papers at the physician surgery, inquire what are the secondary are the secondary uses of the healthcare data. And till the time, the policy makers devise something on the lines of an objective 'Health Score' (like the Credit Score often used in financial decisions), adopt your buying behavior by assuming that all that we do is being analysed. Good living behavior then, does seem to have its merit!

*Disclaimer: This article is applicable to the US market. It expresses my individual opinion and does represent views of any of my employers.